Sandboxing is one of the most useful security solutions, but best practices are not always followed, and malware can easily detect the sandbox environment. Sandboxes are often misconfigured. With simple tricks like hostname detection, MAC address checks, or process detection, malware can recognise the environment it is running in.
Sandbox evasion capabilities allow malware to stay undetected during sandbox analysis.
Below is a list of all the sandbox evasion techniques in the Unprotect Project:
| Technique | Detail | Description |
|---|---|---|
| VMProtect | | VMProtect is a Russian-made security envelope and file compressor utility that makes reverse engineering of protected software quite difficult. |
| VMware artifacts | Checking for memory artifacts | VMware leaves many artifacts in memory. Some are critical processor structures which, because they are either moved or changed on a virtual machine, leave recognisable footprints. Malware can search physical memory for the string "VMware", a common way to detect memory artifacts. |
| MAC address detection | | VMware uses specific virtual MAC addresses that can be detected by malware. The usual MAC addresses used are: |
| Querying the I/O Communication Port | | |
| Anti-VM x86 instruction | SIDT | |
| Extended sleep code | | |
| Office RecentFiles property | | |
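The two rows above that a static scanner can act on are the "VMware" memory-artifact string and the SIDT instruction. The following added example (written here, not code from the Unprotect Project) scans a buffer for both: the string in ASCII and UTF-16LE form, and the SIDT encoding `0F 01 /1` with the ModRM checks needed to avoid confusing it with SGDT or with the register-form `0F 01 C8..` opcodes. The sample buffer is constructed for the example and is not a real binary.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    offset: int   # byte offset in the scanned buffer
    kind: str     # "ascii-string", "wide-string" or "sidt"
    detail: str   # matched text, or the opcode bytes for SIDT


def _wide_ci_pattern(word: str) -> bytes:
    """Case-insensitive UTF-16LE regex for an ASCII word such as "vmware"."""
    return b"".join(b"[" + c.lower().encode() + c.upper().encode() + b"]\x00"
                    for c in word)


def find_vmware_strings(data: bytes) -> List[Finding]:
    """Flag the "VMware" artifact string in ASCII and UTF-16LE (wide) form."""
    found = [Finding(m.start(), "ascii-string", m.group().decode("ascii"))
             for m in re.finditer(rb"vmware", data, re.IGNORECASE)]
    found += [Finding(m.start(), "wide-string", m.group().decode("utf-16-le"))
              for m in re.finditer(_wide_ci_pattern("vmware"), data)]
    return found


def find_sidt(data: bytes) -> List[Finding]:
    """Flag SIDT, encoded as 0F 01 /1.

    The ModRM reg field must be 001 (reg 000 is SGDT) and the operand must be
    memory (mod != 11b): with mod == 11b, 0F 01 C8.. encodes MONITOR/MWAIT
    and related instructions, not SIDT.
    """
    found = []
    idx = data.find(b"\x0f\x01")
    while idx != -1 and idx + 2 < len(data):
        modrm = data[idx + 2]
        if (modrm >> 3) & 7 == 1 and modrm >> 6 != 3:
            found.append(Finding(idx, "sidt", f"0F 01 {modrm:02X}"))
        idx = data.find(b"\x0f\x01", idx + 1)
    return found


def scan_sample(data: bytes) -> List[Finding]:
    """All findings for a buffer, ordered by offset."""
    return sorted(find_vmware_strings(data) + find_sidt(data),
                  key=lambda f: f.offset)


# Constructed sample (not a real executable): fake header padding, the
# artifact string in both forms, one genuine SIDT, and two 0F 01 sequences
# that are not SIDT (MONITOR, and SGDT with a disp32 operand).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"VMware\x00"
    + "vmware".encode("utf-16-le") + b"\x00\x00"
    + b"\x55\x8b\xec\x83\xec\x08"          # push ebp; mov ebp,esp; sub esp,8
    + b"\x0f\x01\x4d\xf8"                  # sidt [ebp-8]   -> flagged
    + b"\x0f\x01\xc8"                      # monitor        -> not SIDT
    + b"\x0f\x01\x05\x00\x00\x00\x00"      # sgdt [disp32]  -> not SIDT
)

if __name__ == "__main__":
    for f in scan_sample(SAMPLE):
        print(f"{f.offset:#06x}  {f.kind:<12} {f.detail}")
```

Scanning raw bytes for an opcode will produce false positives in data sections, so treat a SIDT hit as a prompt to look at the surrounding code rather than as a verdict; the same ModRM logic extends to SGDT (`0F 01 /0`), SLDT (`0F 00 /0`) and STR (`0F 00 /1`), which sandbox-aware samples use for the same purpose.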